
DNS

Although AppJail does not include a DNS server, it includes some useful scripts for using your favorite DNS server. We just need to enable and start our DNS server and the appjail-dns RC script.

AppJail comes with a configuration file for dns/dnsmasq, so we will use it for these examples.

sysrc appjail_dns_enable="YES"
sysrc dnsmasq_enable="YES"
sysrc dnsmasq_conf="/usr/local/share/appjail/files/dnsmasq.conf"
touch /var/tmp/appjail-hosts
service dnsmasq start
service appjail-dns start

Tip

Instead of binding the DNS server to the host IP, we can use an if_tap(4) interface with a fixed address. If the host IP address is not static, every jail that points at it would break each time it changes.

sysrc cloned_interfaces="tap0"
sysrc ifconfig_tap0_name="ajdns"
sysrc ifconfig_ajdns="inet 172.0.0.1/32"
service netif cloneup
service netif start ajdns

Note

This document assumes the above configuration.

We now have our DNS server up and running, so we just need to tell new jails to point to that server. This can be accomplished by simply editing /etc/resolv.conf on the host, but that approach has the problems described in the next section. A much simpler way is to set DEFAULT_RESOLV_CONF (default: /etc/resolv.conf) to a custom resolv.conf(5) file in our AppJail configuration file.

/usr/local/etc/appjail/appjail.conf:

DEFAULT_RESOLV_CONF=/usr/local/etc/appjail/resolv.conf

/usr/local/etc/appjail/resolv.conf:

nameserver 172.0.0.1

Using /etc/resolv.conf as our resolv.conf(5) file

We need to modify /etc/resolv.conf; however, we cannot simply edit this file by hand, because resolvconf(5) will regenerate it and discard all the changes we have made.

/etc/resolvconf.conf:

name_servers="172.0.0.1"

It is not enough to configure resolvconf(5); we also need to modify dhclient.conf(5) to force the use of our DNS server, otherwise the lease handed out by DHCP will reintroduce the ISP's or router's nameservers.

/etc/dhclient.conf:

supersede domain-name-servers 172.0.0.1;

And run:

# resolvconf -u
# cat /etc/resolv.conf
# Generated by resolvconf
nameserver 172.0.0.1

Changing /etc/resolv.conf of existing jails

If we already have some jails with an existing /etc/resolv.conf pointing to a different server, this is very easy to fix.

appjail cmd all local cp $resolv_conf etc/resolv.conf

Warning

$resolv_conf is only a shell variable; set it to the correct file before executing this command.

Example

appjail cmd all local cp /usr/local/etc/appjail/resolv.conf etc/resolv.conf
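Whether /etc/resolv.conf was regenerated by resolvconf on the host or copied into existing jails as above, the thing worth checking afterwards is that the file names only the expected server. The function below does that check; it is an added example and not part of the AppJail documentation or the appjail tool. The name check_resolv_conf, the sample files and the stale 10.42.0.1 address are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not AppJail's own code): verify that a resolv.conf(5)
# file names only the expected DNS server.
#
# check_resolv_conf FILE EXPECTED
#   Prints every "nameserver" entry in FILE that is not EXPECTED and
#   returns 1 when any such entry exists or when FILE has no nameserver
#   at all; returns 0 when every nameserver line matches.
check_resolv_conf() {
    file=$1
    expected=$2
    found=0
    bad=0
    # Read keyword/value pairs; skip blank lines and comments such as
    # the "# Generated by resolvconf" header.
    while read -r keyword value _rest; do
        case $keyword in
            ''|'#'*) continue ;;
            nameserver)
                found=$((found + 1))
                if [ "$value" != "$expected" ]; then
                    echo "$file: unexpected nameserver $value (want $expected)"
                    bad=$((bad + 1))
                fi
                ;;
        esac
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "$file: no nameserver entry"
        return 1
    fi
    [ "$bad" -eq 0 ]
}

# Constructed sample files: one standing in for the host's /etc/resolv.conf
# after "resolvconf -u", one for a jail whose /etc/resolv.conf still lists
# an old server. Both addresses and paths are made up for this demo.
demo_dir=$(mktemp -d)
printf '# Generated by resolvconf\nnameserver 172.0.0.1\n' > "$demo_dir/host-resolv.conf"
printf 'nameserver 10.42.0.1\nnameserver 172.0.0.1\n' > "$demo_dir/jail-resolv.conf"

check_resolv_conf "$demo_dir/host-resolv.conf" 172.0.0.1 && echo "host: ok"
check_resolv_conf "$demo_dir/jail-resolv.conf" 172.0.0.1 || echo "jail: needs fixing"
rm -rf "$demo_dir"
```

On a real host the function would be pointed at /etc/resolv.conf and at each jail's etc/resolv.conf (for example via appjail cmd all local), and a non-zero return is the signal to rerun the copy command above.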

Testing our DNS configuration

We can now communicate with the jail using the host name instead of the IP address.

# appjail jail list -j python
STATUS  NAME    TYPE  VERSION       PORTS  NETWORK_IP4
UP      python  thin  13.2-RELEASE  -      10.42.0.4
# ping -c4 python.development.appjail
PING python.development.appjail (10.42.0.4): 56 data bytes
64 bytes from 10.42.0.4: icmp_seq=0 ttl=64 time=0.275 ms
64 bytes from 10.42.0.4: icmp_seq=1 ttl=64 time=0.212 ms
64 bytes from 10.42.0.4: icmp_seq=2 ttl=64 time=0.207 ms
64 bytes from 10.42.0.4: icmp_seq=3 ttl=64 time=0.216 ms

--- python.development.appjail ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.207/0.228/0.275/0.028 ms

Using shorter domain names

If you prefer a much shorter name than the one used above, you can set SHORTEN_DOMAIN_NAMES (default: 0) to 1 in your AppJail configuration file.

# ping -c4 redis
PING redis (10.42.0.16): 56 data bytes
64 bytes from 10.42.0.16: icmp_seq=0 ttl=64 time=0.244 ms
64 bytes from 10.42.0.16: icmp_seq=1 ttl=64 time=0.154 ms
64 bytes from 10.42.0.16: icmp_seq=2 ttl=64 time=0.216 ms
64 bytes from 10.42.0.16: icmp_seq=3 ttl=64 time=0.189 ms

--- redis ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.154/0.201/0.244/0.033 ms

Info

Use NETWORK_TO_SHORTEN (default: ${AUTO_NETWORK_NAME}, which itself defaults to ajnet) in your AppJail configuration file to choose which network's names are shortened.

When the above feature is enabled, you can use either the short or the long name. Network domain names are not shortened, so if you need the IP of the network itself you must use its long name, e.g. ajnet.appjail; ajnet alone will not resolve.